Add Snippet To Project
Do you want to enhance the privacy settings of your WordPress website by limiting user access to only the media files they upload? While WordPress organizes its media library available to every user with the ability to upload files, it doesn’t provide an out-of-the-box setting to confine users to their individual uploads. However, there are workarounds to put this much-needed restriction in place. This article provides a step-by-step guide on how to restrict users so they can only see and manage their own media library uploads in WordPress.
function wpturbo_restrict_media_library( $wp_query_obj ) {
global $current_user, $pagenow;
if( !is_a( $current_user, 'WP_User') ) { return; }
if( 'admin-ajax.php' != $pagenow || $_REQUEST['action'] != 'query-attachments' ) { return; }
if( !current_user_can('manage_options') ) {
$wp_query_obj->set('author', $current_user->ID );
}
return;
}
add_action('pre_get_posts', 'wpturbo_restrict_media_library');
The entire code snippet defines a function named wpturbo_restrict_media_library() which adjusts the WordPress database (DB) query to act with certain user restrictions, particularly for the Media Library. This function relies on WordPress hooks and global variables to restrict users from viewing any Media Library items that they themselves did not upload.
function wpturbo_restrict_media_library( $wp_query_obj ) {
global $current_user, $pagenow;This code begins by declaring the new function and taking the $wp_query_obj as an argument. This object represents the WordPress query that fetches posts from the database.
Then it manifests two global WordPress variables $current_user and $pagenow into the function’s scope. The $current_user variable carries data about the currently logged-in user, while $pagenow holds the name of the current page executable.
if( !is_a( $current_user, 'WP_User') ) { return; }This line helps the function verify if there is a user logged in and if they are an instance of WordPress’s WP_User class. If this is not the case, the function exits without making any changes.
if( 'admin-ajax.php' != $pagenow || $_REQUEST['action'] != 'query-attachments' ) { return; }Here the function checks the current page and the ongoing request to ensure it’s only acting on attachment queries from the admin-ajax.php page. If they’re trying to access any other page, the function again exits without further action.
if( !current_user_can('manage_options') ) {
$wp_query_obj->set('author', $current_user->ID );
}This part of the code is only run if the active user does not have the manage_options capability, which is normally reserved for roles like administrators and super-admins.
When such a user (e.g., a contributor, author, or subscriber) queries attachments, the function modifies the query to set the ‘author’ parameter to the current user’s ID. This means that when the database responds to the query, it will filter out posts (attachments/media library items) that were not authored by the current user.
add_action('pre_get_posts', 'wpturbo_restrict_media_library');Finally, the function wpturbo_restrict_media_library is hooked to the pre_get_posts action. This action hook allows our function to adjust the database query before it is performed. In-turn, our function gets the opportunity to modify the query and add the filtering we need. As such, when the query is executed, users not having ‘manage_options’ capability are only presented with the media library items they uploaded by themselves.